Nation-state malware campaign Decoy Dog detected


Security researchers at Infoblox have detected a new malware campaign they are calling Decoy Dog. The campaign has all the hallmarks of an espionage campaign, but the researchers have not been able to determine the identity of the nation-state behind it.

The campaign appears to be using a modified version of the open-source remote access tool Pupy. Pupy is a powerful tool that can be used to control a device remotely, and it can bypass detection from most antivirus applications. Decoy Dog builds on Pupy by adding new features that make it more difficult to detect.

Pupy is designed to maintain continuous communications between infected clients and the server, so that when the actor wants to remotely access a client the connection is already established. The actor can monitor connected clients and selectively command them to perform a wide range of actions. DNS is used only for C2 communications.

Any significant data exfiltrated from the client is sent over one of the many other transport options offered by Pupy. As a result, the Pupy DNS client is restricted to checking in with the controller, acknowledging commands, providing system information, and a handful of other duties.
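A defender-side check suggested by the DNS-only check-in behaviour described above, as an added example (not from Infoblox's report or the Pupy project): it scans a constructed resolver log for clients that query one apex domain at a steady cadence with a fresh label nearly every time, the pattern a DNS check-in channel leaves behind. The thresholds and the last-two-labels apex heuristic are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample resolver log, one query per line: "<epoch_seconds> <client_ip> <queried_name>".
# Client 10.0.0.5 checks in every 60 s with a unique encoded label under one apex domain;
# 10.0.0.7 is ordinary browsing traffic. Both are made up for this example.
SAMPLE_LOG = "\n".join(
    [f"{1000 + 60 * i} 10.0.0.5 {i:04x}beef.c2-example.test" for i in range(10)]
    + ["1005 10.0.0.7 www.example.com", "1100 10.0.0.7 mail.example.com",
       "1300 10.0.0.7 www.example.com", "1020 10.0.0.5 www.example.com"]
)

def parse_log(text):
    """Parse log lines into (timestamp, client, name) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), parts[1], parts[2].rstrip(".").lower()))
    return records

def apex(name):
    """Registrable-domain approximation: last two labels (assumption; no public-suffix list offline)."""
    return ".".join(name.split(".")[-2:])

def detect_dns_beacons(records, min_queries=8, min_unique_ratio=0.8, max_jitter=0.2):
    """Flag (client, apex) pairs whose queries look like a DNS check-in channel: many queries,
    almost every one carrying a never-before-seen label, sent at a regular cadence."""
    groups = defaultdict(list)
    for ts, client, name in records:
        groups[(client, apex(name))].append((ts, name))
    flagged = {}
    for key, hits in groups.items():
        if len(hits) < min_queries:
            continue
        hits.sort()
        unique_ratio = len({n for _, n in hits}) / len(hits)
        intervals = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        avg = mean(intervals)
        jitter = pstdev(intervals) / avg if avg > 0 else float("inf")  # 0.0 = perfectly periodic
        if unique_ratio >= min_unique_ratio and jitter <= max_jitter:
            flagged[key] = {"queries": len(hits), "unique_ratio": unique_ratio,
                            "interval_s": avg, "jitter": jitter}
    return flagged

if __name__ == "__main__":
    for (client, domain), stats in detect_dns_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {domain}: {stats}")
```

Real resolver logs carry far more noise (CDNs, telemetry, DNS-over-HTTPS fallbacks), so treat a hit as a lead for the analyst rather than a verdict.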

Infoblox estimates that more than 100 devices have already been infected with Decoy Dog, and the company believes that as many as four groups could be deploying the malware. Many of the suspicious domain names linked to the campaign are tied to Russian IP addresses, according to the report, but the researchers cannot say with certainty that Russia is behind the attack, and Infoblox notes that it has so far uncovered only the underlying foundation of the campaign.

The sources for this piece include an article in Axios.
